- strongswan enumerates all available transforms in the first IKE_SA_INIT. That can be too many, and some of them are not recognized by the Cisco SeGW; the SeGW then simply drops the packet and sends no response.

  Cisco SeGW reports:
  Too Many Transforms: 110

  And a packet dump at the Cisco side shows something like:
  (........a lot of transforms.........)
  Transform Header #39
  Last (U08): Yes/0 (0x00)
  Reserved (U08): 0
  Transform Length (U16): 8 (0x8) bytes
  Transform Type (U08): DHGROUP/4 (0x04)
  Reserved (U08): 0
  Transform ID (U16): UNKNOWN/30 (0x001E)

  FIX: limit the offered proposals explicitly, e.g.
  ike=aes128-sha1-prfsha1-modp1024,aes256-sha1-prfsha1-modp1024,3des-md5-prfmd5-modp1024,3des-sha1-prfsha1-modp1024,des-sha1-prfsha1-modp1
- By default MOBIKE is enabled in strongswan, but the Cisco SeGW does not support it. The tunnel comes up without any problem, yet the ESP-encrypted packets that reach the SeGW are "somehow" not recognized: for example, an encrypted ping request is received by the SeGW but is not decrypted and is dropped. On the strongswan PC, no encrypted pings from the SeGW are received at all.
  FIX: disabling MOBIKE fixes this issue.
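An ipsec.conf connection block that applies both fixes above (an added example, not part of the original notes; the peer address, identities, authentication method and the ESP proposal are placeholders, and the ike= list is shortened to two entries from the line above):

```ini
# /etc/ipsec.conf -- added example; addresses and identities are placeholders
conn cisco-segw
    keyexchange=ikev2
    left=%defaultroute
    leftid=@client.example.invalid        # assumption: local identity
    right=192.0.2.1                        # assumption: SeGW address (documentation range)
    rightid=@segw.example.invalid          # assumption: SeGW identity
    authby=psk                             # assumption: PSK kept in ipsec.secrets

    # Problem 1: with no explicit list strongSwan offers every supported
    # transform and the SeGW rejects IKE_SA_INIT with "Too Many Transforms".
    # The trailing '!' makes the list strict, so the daemon's large default
    # proposal set is NOT appended after the listed ones.
    ike=aes128-sha1-prfsha1-modp1024,aes256-sha1-prfsha1-modp1024!
    esp=aes128-sha1!                       # assumption: CHILD_SA proposal the SeGW accepts

    # Problem 2: MOBIKE is on by default; the SeGW does not support it and
    # ESP traffic is dropped even though the IKE_SA comes up. Turn it off.
    mobike=no

    auto=start
```

Without the '!' the restricted ike= list only becomes the first proposal and the default set still follows it, so the SeGW would again see far too many transforms.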